We can see here that the UID value was wrapped to the 2147483647 value (0x7fffffff) followed by a segfault.

We can have some fun with it e.g. creating a user with the 0x7fffffff UID. This way sudo will no longer crash, but it will be called for a different user : ). The bug was tested on the 1.8.5p2 version 32-bit OS. Additional details can be found in the bug report.

Monday, 18 March 2013

When i came back from work today and fired up Skype, multiple messages popped up immediately. Some of them in in English and some in Polish, but all leading to the same url with "pictures" of me ; oo. Another interesting fact was that all the messages came from people working at the same company (zomg APT alert ;D).

The messages looked like this:

Messages in English and Polish encouraging to visit the links

We check what is behind the url shortener:

zip file !

Crunchpress seems to be a 'hacked' website:

crunchpress image folder with some aditional content

Lets download and unzip it:

Oh noez! no pics just exe : (

Quick scan @ virustotal.com gives 7/44 and identifies the file as a dropper:

virustotal results

Not surprisingly it downloads something using HTTP protocol:

Actual bad stuff downloaded here

Let's see what we have there. First some quick geo localization request:

hi ho

Next a list of 'unwanted' domain names is downloaded (full list available here).